Documentation

Guides for protecting production JavaScript

Reference guides for release workflows, command-line usage, cross-file protections, and the desktop app.

Inside the Docs

Practical guides for real release work.

How-to guides Start with release sequencing and command-line usage, then move into feature-specific references.
Advanced protection Browse cross-file controls like Replace Globals and Protect Members when a build spans multiple scripts.

Enterprise Governance Foundations

  • RBAC, scoped tokens, hash-chained audit events, OIDC/SAML trust configuration, organization directory, SCIM 2.0 user lifecycle core
  • account-scoped organization records, hash-only SCIM tokens, durable directory users, and hash-chained audit events
  • apply the SQL migration and configure an identity provider before enabling SSO enforcement

The jso-protector/governance module gives release tooling a shared authorization, identity-configuration, provisioning, and audit contract. The account dashboard now adds durable organization, SCIM-token, directory-user, and audit storage plus a bearer-authenticated /v1/scim/Users.ashx endpoint. Apply App_Data/CreateEnterpriseGovernanceTables.sql before enabling it.

Role-based release policy

Built-in roles are owner, admin, developer, reviewer, and viewer. Permissions distinguish protection runs, project changes, evidence export, member/token administration, billing, and audit review.

const governance = require("jso-protector/governance");
const policy = governance.createGovernancePolicy({
  members: [
    { id: "release-bot", role: "developer" },
    { id: "security-review", role: "reviewer" }
  ]
});

if (!policy.authorize("release-bot", "protect").allowed) {
  throw new Error("release actor is not allowed to protect this build");
}

Scoped automation tokens

Token descriptors validate known scopes, expiration, and revocation metadata without storing or printing the secret. Supported scopes cover protection, evidence read/export, project changes, and audit read access. The hosted service must still authenticate the token and enforce the result server-side.

Tamper-evident audit trail

Each local audit event includes its sequence and the SHA-256 hash of the previous event. verify() detects changed, removed, or reordered evidence before a release packet is handed to a reviewer. Store the resulting events in your governed log destination; this local chain is not a substitute for hosted immutable retention.

Enterprise identity and SCIM lifecycle

validateEnterpriseIdentityConfig() validates HTTPS OIDC issuer/client configuration or SAML SSO/entity/signing-certificate configuration, verified domains, enforcement mode, and default role. After the deployment adapter verifies the assertion signature, authenticateEnterprisePrincipal() enforces issuer, audience, expiry, nonce, verified email, and organization domain before mapping a role. The hosted /v1/scim/Users.ashx route supplies bearer-authenticated SCIM create, read, filter, replace/patch, and deactivate behavior with organization isolation; tokens are displayed once and stored only as SHA-256 hashes.

const directory = governance.createOrganizationDirectory({
  organizationId: "customer-42"
});
const scim = governance.createScimService({
  directory,
  bearerToken: process.env.JSO_SCIM_TOKEN
});

// Mount through the HTTPS adapter used by your deployment:
const result = scim.handle({ method, url, headers, body });

Hosted enterprise boundary

Organization and SCIM directory persistence are implemented in the hosted product and administered at /dashboard/enterprise-governance.aspx. Production rollout still requires the database migration, backup/retention policy, IdP metadata exchange, and an OIDC/SAML callback that verifies provider signatures before creating a session. The presence of these controls is not a SOC 2 certification; certification requires an independent audit of operating controls.

Try this in the online obfuscator

Paste your own code and see this option applied, or compare plans for larger projects and the desktop app.

Try It Free See Pricing